New in Symfony 4.3: Compromised password validator

A data breach is the intentional or unintentional release of secure or
private/confidential information to an untrusted environment. The
list of data breaches increases every day and, just in the first half of
2018, about 4.5 billion records were exposed, including user passwords.

Users who set their password to any of these publicly exposed passwords are a
serious security problem for web sites and applications, because breached
password lists are exactly what attackers feed into credential-stuffing and
dictionary attacks. That's why services like Have I Been Pwned? allow you to
check if your password is compromised.

In Symfony 4.3, we've added a new NotCompromisedPassword constraint to
validate that the given password hasn't been compromised:

Internally, the constraint makes an HTTP request to the API provided by the
haveibeenpwned.com website. The validator never sends the raw password: it
hashes the password with SHA-1 and sends only the first five hexadecimal
characters of that hash.

For example, if the raw password is test, its SHA-1 hash is
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 and the validator sends only
a94a8 (the first five characters of the hash) to haveibeenpwned.com. The API
answers with the list of known hash suffixes that share that prefix, and the
validator compares the remaining 35 characters locally, so the service learns
neither the password nor its full hash. This is called "k-anonymity password
validation" and is fully explained in this blog post by Cloudflare.
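The exchange described above, written out as an added example in Python. This is not Symfony's validator (which is PHP) and not Have I Been Pwned's code; it only reproduces the protocol: hash, split the hash at five characters, query the range endpoint with the prefix, compare the suffix locally. The `SAMPLE_RANGES` response body is constructed so the example runs offline (the suffix for `test` is real, the counts and other suffixes are made up); the `threshold` parameter and the function names are this example's own assumptions.

```python
"""k-anonymity password check against a Have I Been Pwned-style range API.

Added example, not Symfony's NotCompromisedPassword implementation.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Real HIBP endpoint: GET <RANGE_API><5 hex chars> returns "SUFFIX:COUNT" lines.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into (first 5 chars, remaining 35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict.

    Malformed lines raise rather than being silently skipped, so a broken or
    truncated reply cannot be mistaken for "no matches".
    """
    table: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        table[suffix.upper()] = int(count)
    return table


# Constructed stand-in for the range endpoint, keyed by prefix. Only the
# suffix of SHA-1("test") is real; every count and the other suffixes are
# invented so the example runs offline.
SAMPLE_RANGES = {
    "A94A8": "\n".join([
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:1",       # constructed
        "FE5CCB19BA61C4C0873D391E987982FBBD3:86453",   # real suffix, made-up count
        "FFFF0123456789ABCDEF0123456789ABCDE:3",       # constructed
    ]),
}


def offline_range_api(prefix: str) -> str:
    """Offline fetcher: returns the constructed body for a known prefix, else nothing."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def live_range_api(prefix: str) -> str:
    """Optional real fetcher (network). Not used by default."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_API + prefix, headers={"User-Agent": "k-anonymity-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_range_api) -> int:
    """How many times the password appears in the breach corpus (0 if unseen).

    Only `prefix` leaves this host; the suffix comparison happens locally.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


def is_compromised(password: str, threshold: int = 1,
                   fetch_range: Callable[[str], str] = offline_range_api) -> bool:
    """True when the password has been seen at least `threshold` times (assumed option)."""
    return pwned_count(password, fetch_range) >= threshold


if __name__ == "__main__":
    for pw in ("test", "an-unlisted-passphrase-9f3"):
        print(pw, "->", "compromised" if is_compromised(pw) else "not seen")
```

A practical caveat the protocol itself does not settle: if the range request fails (timeout, network error, non-200 response), the caller has to decide whether to reject the password (fail closed) or to skip the check; either choice should be explicit rather than an accidental "0 matches".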

The HTTP request is made with the new HttpClient component added in Symfony 4.3,
which we will introduce soon in a dedicated blog post.

The implementation does not send the password to haveibeenpwned, it sends a hash of the first 5 characters, and then compares the password to a list returned by the API ("k-anonymity model"). So it is safe :)
That's a great addition!

I think it's a great idea to provide a validation component for passwords into the framework using this functionality. I just wonder why make it a specific Symfony component as many frameworks out there have validation components.

I provided a Composer package "dragonbe/hibp" for the purpose of making password validation available to everyone, independent from the framework. And to prevent the rebuilding of logic, wouldn't it be better if we had one common base component with each framework implementing that base component? For details, see https://packagist.org/packages/dragonbe/hibp and yes, I accept PRs to make it better suited for all the frameworks.

@Michelangelo van Dam there's nothing "Symfony specific" here. This is shipped in a standalone component, exactly like yours, except that this is backed by all the standard maintenance processes of the project.